4.9 NTS (NAT Traversal Set of rules)

Connection-filtering NATs are becoming increasingly frequent, and this situation makes connectivity between peers more difficult. This set of rules introduces the extra functionality needed to handle those peers that are behind restricted-cone NATs and symmetric NATs.

The DBS module enables communication for those peers that are behind full-cone NATs, and for peers that are behind more restrictive NATs but have dedicated an open port to the P2PSP traffic; in the rest of the cases the NATs will block the incoming packets. In order to understand the reason for this problem, let us examine the behaviour of restricted-cone and symmetric NATs.

When a restricted-cone NAT is used, the NAT entries can have four or five fields, depending on the exact type of NAT. Compared to a full-cone NAT, restricted-cone NAT entries have a fourth field which memorizes the destination IP address of the outgoing packet (outgoing packets go from the private network towards the Internet), i.e., we have a translation entry such as:

RCNE = (public source IP address 𝒲, FCNE)

where RCNE stands for Restricted-Cone NAT Entry (and FCNE for the full-cone NAT entry it extends). Therefore, an incoming packet can cross the NAT only if it comes from a process that is running at a host whose IP address is 𝒲.

If the NAT is a port-restricted-cone NAT, the entries become:

PRCNE = (public source port 𝒱, RCNE)

where PRCNE stands for Port-Restricted-Cone NAT Entry. In this case the NAT forwards the packet only if it originated at the (public source port 𝒱, public source IP address 𝒲) end-point.

It is important to notice that in a cone NAT (restricted or not) only one public NAT port is assigned to each (private IP address 𝒴, private port 𝒵) end-point. This means that, although a peer is behind a cone NAT, it can be addressed using the unique public NAT end-point that the NAT selected when it created the corresponding translation entry. Thus, in order to reach the NAT-ed peer, the only action that must be performed beforehand is to send a packet from this (private) peer to the interlocutor (public) peer, something that is already done in the DBS.

Let us suppose that a new peer X wants to join the team. Following the DBS, when X is joining the team it receives the list of peers and sends a [hello] message to each peer of the list. These messages will be received by those peers that run at public hosts or at full-cone NAT-ed hosts, but not otherwise. (Notice also that, if X is behind a NAT, these [hello] messages create one or more translation entries in the NAT of X that make it possible for the rest of the peers of the team to reach X.) To solve this problem, when a peer X wants to join the team, the splitter can send X's end-point to all the NAT-ed peers of the team (notice that, in order to apply this rule, the splitter must know whether a peer is behind a NAT or not; for this reason, it is compulsory that an NTS-graded peer also implements the EMS, see Section 4.8) using the message:

[say hello to (X)],

where (X) is the public end-point of X assigned by its NAT. Thus, when the peers receive this message, they send a [hello] to (X), creating a translation entry in their NATs. After that, X will be able to communicate with all the peers of the team, even if X is behind a NAT.

Summarizing, when an arriving peer X wants to join the team T, after receiving the list of peers in T from S, S must carry out the steps given in Algorithm 1 and each peer in 𝒩(T) must follow the steps in Algorithm 2.

    For each peer P in 𝒩(T):
        Send [say hello to (X)] to P.

Algorithm 1: NTS algorithm for S.

    Receive [say hello to (X)] from S.
    Send [hello] to (X).

Algorithm 2: NTS algorithm for each peer P in 𝒩(T).
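The NAT behaviours described above and the effect of the [say hello to (X)] rule can be exercised in a small simulation. The following Python program is an added example, not code from the P2PSP project: it models full-cone, restricted-cone, port-restricted-cone and symmetric NATs with port preservation, lets a peer X behind a chosen NAT join a constructed team (one public peer, one full-cone NAT-ed peer and one port-restricted-cone NAT-ed peer), and reports which peers X can reach after the DBS [hello] phase alone and after Algorithms 1 and 2. All host names, addresses and ports are constructed; the symmetric case is included as well, anticipating the failure discussed below.

```python
"""Simulation of the NAT types of Section 4.9 and of the NTS "say hello to"
rule (Algorithms 1 and 2).  Added example, not P2PSP's own code; the host
names, IP addresses and ports below are constructed."""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst payload")  # src/dst: (ip, port) on the wire


class NAT:
    """Full-cone, restricted-cone, port-restricted-cone or symmetric NAT that
    preserves ports (private port reused when free, otherwise port+1, ...)."""

    def __init__(self, public_ip, kind):
        self.public_ip, self.kind = public_ip, kind
        self.table = {}    # cone: private -> port; symmetric: (private, dst) -> port
        self.entries = {}  # public port -> (private end-point, destinations contacted)
        self.used = set()

    def outbound(self, pkt):
        key = (pkt.src, pkt.dst) if self.kind == "symmetric" else pkt.src
        if key not in self.table:
            port = pkt.src[1]
            while port in self.used:        # port preservation, then L+1, L+2, ...
                port += 1
            self.used.add(port)
            self.table[key] = port
            self.entries[port] = (pkt.src, set())
        port = self.table[key]
        self.entries[port][1].add(pkt.dst)  # the 4th/5th field: who was contacted
        return Packet((self.public_ip, port), pkt.dst, pkt.payload)

    def inbound(self, pkt):
        """Translated packet if the NAT forwards it, None if it filters it."""
        if pkt.dst[0] != self.public_ip or pkt.dst[1] not in self.entries:
            return None
        private, contacted = self.entries[pkt.dst[1]]
        if self.kind == "full-cone":
            ok = True
        elif self.kind == "restricted-cone":  # source IP must have been contacted
            ok = any(d[0] == pkt.src[0] for d in contacted)
        else:                                 # source IP and port must both match
            ok = pkt.src in contacted
        return Packet(pkt.src, private, pkt.payload) if ok else None


class Host:
    def __init__(self, name, ip, port, nat=None):
        self.name, self.endpoint, self.nat, self.inbox = name, (ip, port), nat, []


class Network:
    def __init__(self):
        self.hosts = {}  # public IP -> host (one host per public IP in this model)

    def add(self, host):
        self.hosts[host.nat.public_ip if host.nat else host.endpoint[0]] = host
        return host

    def send(self, src, dst, payload):
        """Datagram from src's private end-point to the public end-point dst."""
        pkt = Packet(src.endpoint, dst, payload)
        if src.nat:
            pkt = src.nat.outbound(pkt)
        target = self.hosts.get(dst[0])
        if target is None:
            return False
        if target.nat:
            pkt = target.nat.inbound(pkt)
        if pkt is None or pkt.dst != target.endpoint:
            return False
        target.inbox.append(pkt)
        return True


def join(net, splitter, team, public_of, x, use_nts):
    """X joins the team; returns {peer: True if a later datagram from X reaches it}."""
    net.send(x, splitter.endpoint, "join")      # creates X's NAT entry towards S
    x_public = splitter.inbox[-1].src           # (X): X's end-point as seen by S
    for p in team:                              # DBS: [hello] to every peer of the list
        net.send(x, public_of[p.name], "hello")
    if use_nts:
        for p in team:                          # Algorithm 1: S sends [say hello to (X)]
            if p.nat:                           # to the NAT-ed peers only, and ...
                net.send(p, x_public, "hello")  # Algorithm 2: P sends [hello] to (X)
    return {p.name: net.send(x, public_of[p.name], "chunk") for p in team}


def scenario(x_nat_kind, use_nts):
    """Team: a public peer, a full-cone NAT-ed peer and a port-restricted one."""
    net = Network()
    splitter = net.add(Host("S", "198.51.100.1", 4552))
    team = [net.add(Host("P0", "198.51.100.2", 4553)),
            net.add(Host("P1", "10.0.0.2", 5000, NAT("203.0.113.1", "full-cone"))),
            net.add(Host("P2", "10.0.0.3", 5000, NAT("203.0.113.2", "port-restricted-cone")))]
    public_of = {}
    for p in team:                              # peers have already contacted S (DBS)
        net.send(p, splitter.endpoint, "join")
        public_of[p.name] = splitter.inbox[-1].src
    x = net.add(Host("X", "192.168.1.2", 6000, NAT("203.0.113.9", x_nat_kind)))
    return join(net, splitter, team, public_of, x, use_nts)
```

scenario("restricted-cone", False) reports that the port-restricted peer never receives X's datagrams, scenario("restricted-cone", True) reports all three peers reachable, and scenario("symmetric", True) reports the port-restricted peer still unreachable: the [hello] that peer sends to (X) targets the public port X used towards S, while X's symmetric NAT used a different port towards that peer.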

Unfortunately, the behaviour of symmetric NATs is different and the previously proposed algorithm does not work. A symmetric NAT assigns a different public port for each (public source port, public source IP address, private IP address, private port) combination. This means that a peer that is behind a symmetric NAT will use different public NAT ports for communicating with each other peer and with the splitter. Moreover, the algorithm used by a symmetric NAT to allocate the public ports is not standardized: some NATs assign ports sequentially (depending on their availability) and others assign them at random. Notice also that symmetric NATs are, by definition, incompatible with the pure P2PSP philosophy: each peer must send messages to the rest of the peers of the team, which means that |T| ports will be allocated for each peer that is behind a symmetric NAT. For all these reasons, in order to run P2PSP under symmetric NATs, the configuration presented in Section 7.6 should be used. However, if this solution is not feasible, |T| is small and the number of peers behind symmetric NATs is also small, the following simple solution can be tried.

The first problem to solve here is to identify those peers that are behind symmetric NATs, because their NAT traversal set of rules will be different from the rules that must be followed by those peers that are behind cone NATs. To identify a symmetric NAT-ed peer X, the splitter sends to the monitor peer the public end-point of X, and the monitor peer searches for this end-point in its list of peers. If the end-point is in the list, X is behind a cone NAT; otherwise, X is behind a symmetric NAT. Algorithm ?? summarizes this procedure.

    Send [(X)] to P0.
    Receive [type of X's NAT].

Algorithm 3: NTS algorithm for S to determine the type of NAT that an incoming peer X uses.

    Receive [(X)] from S.
    if (X) is in T, then:
        Send [X's NAT is a cone NAT] to S.
    else:
        Send [X's NAT is a symmetric NAT] to S.

Algorithm 4: NTS algorithm for P0 to determine the type of NAT that an incoming peer X uses.

Most NATs use the port-preservation port allocation technique, which means that if a process that runs in the (NAT-ed) private network uses a local port ℒ, then the NAT will try to use the same port on the public side, and if public port ℒ has already been allocated then the NAT will check whether port ℒ+1 is free. Supposing this, and taking into account that applying rules 5 and ?? of the DBS will allocate the ports ℒ, ℒ+1, ⋯, ℒ+|T|, ℒ will be the port assigned by the NAT to talk with the splitter, ℒ+1 will be the port assigned to talk with the first peer of the list of peers and ℒ+|T| will be the port used to talk with the last peer of the list of peers. Notice that it is possible to determine whether the ports used by the symmetric NAT of the incoming peer X are ℒ, ℒ+1, ⋯, ℒ+|T| after the rest of the peers of the team have received the [hello] messages from X, even if there are peers behind symmetric NATs, provided that these peers have sent a [hello] towards X using the corresponding public port at X's NAT. Therefore, if after this phase of "regards" between X and the rest of the peers of the team all these peers have received a [hello] from X, then we can conclude that X has joined the team correctly.
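The NAT-type test of Algorithms 3 and 4 and the port check of the previous paragraph, written as monitor- and splitter-side helpers. This is an added example, not P2PSP code: the peer names and end-points are constructed, and the per-peer report of the source port from which each [hello] arrived is an assumed input format (the page does not specify how the peers report what they received to S).

```python
"""Symmetric-NAT bookkeeping for NTS (Section 4.9): the NAT-type test of
Algorithms 3 and 4 and the check that X's NAT used the predicted ports
L, L+1, ..., L+|T|.  Added example, not P2PSP's own code; the end-points
and hello reports used below are constructed, and the report format
(peer name -> source port of X's [hello]) is an assumption."""


def monitor_nat_type(x_endpoint_from_splitter, monitor_peer_list):
    """Algorithm 4, run by the monitor P0.  (X) is X's public end-point as
    seen by S.  A cone NAT used the same public port to [hello] P0, so (X)
    appears in P0's list of peers; a symmetric NAT used another port."""
    return "cone" if x_endpoint_from_splitter in monitor_peer_list else "symmetric"


def predicted_ports(L, team_size):
    """Ports a port-preserving symmetric NAT is expected to allocate for X:
    L towards S, L+1 towards the first peer of the list, ..., L+|T| towards
    the last one (one new port per destination as the DBS hellos go out)."""
    return [L + i for i in range(team_size + 1)]


def check_symmetric_join(x_endpoint_from_splitter, team, hello_reports):
    """team: the list of peers in the order X received it.  hello_reports
    maps a peer name to the source port of the [hello] it received from X
    (absent when nothing arrived).  Returns (joined, detail) where detail
    maps each peer to (predicted port, observed port) and joined is True
    only when every peer received X's [hello] from the predicted port."""
    L = x_endpoint_from_splitter[1]
    expected = predicted_ports(L, len(team))
    detail = {peer: (expected[i + 1], hello_reports.get(peer))
              for i, peer in enumerate(team)}
    joined = all(observed == want for want, observed in detail.values())
    return joined, detail
```

A report with a missing peer, or with a port outside the predicted sequence (a NAT allocating at random), makes check_symmetric_join return False, which is the case the text says should fall back to the configuration of Section 7.6.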

Algorithms 5 and 6 summarize the steps that must be performed in order to incorporate into a team a peer X that is behind a symmetric NAT.

Finally, we would like to stress that this algorithm must be executed only by those peers that are behind a (port-)restricted-cone or symmetric NAT. The rest of the peers of the team do not need to be aware of the use of these techniques.